How to Enable Controlled Folder Access Using Group Policy

This post describes how to enable Controlled folder access using Group Policy. With the latest versions of Windows 10, Microsoft has really worked hard on improving Windows defender. The AV features that most of the customers were looking for are now available in Windows Defender. While most of the antivirus softwares have already got advanced features, Windows defender too gets new features with every update.

We all know that Microsoft introduced host intrusion prevention functionalities in Windows 10. The idea behind this is to prevent the user data from unsafe apps. One of the important feature of Windows Defender Exploit Guard is Controlled folder access. This feature protects important data from malicious apps and threats. Once any ransomware enters a computer, it encrypts the files and demands ransom to unlock it. Since this is a common behavior of ransomware, securing the files and folders is first preventive step.

Controlled folder access can be enabled by using one of the following ways.

Group Policy

Windows Defender app

PowerShell

MDM CSP’s

So how does this work ?. With controlled folder access enabled, the apps are monitored for any suspicious activities. All the apps installed are scanned in depth by Windows Defender antivirus. In addition the Windows defender will then determine whether the app is safe or malicious. If it finds the app to be malicious, the app will be blocked from making changes to the files located inside protected folders. Also a notification will be shown to the user about the app being blocked by windows defender.

By default Windows system folders are protected with controlled folder access feature. The below screenshot shows the default system folders that are protected. By clicking Add a protected folder, a user can add additional folders to the list.

Double-click the Configure Controlled folder access. To enable the policy click Enabled. You see 3 options to configure the guard my folders feature.

Disable – This is the default option. Not a secure option though as any app can modify / delete files in protected folders.

Block – This is a strict mode where untrusted apps cannot make any changes to files insides protected folders. Enable this with caution as it may affect organization’s productivity.

Audit Mode – In the audit mode untrusted apps are allowed to make changes (modify/delete) to files inside protected folders. However each of the activity is logged in the windows event log.

Select Audit mode and click Apply and OK.

Once you have used group policy to enable and manage controlled folder access, there are 2 more policy settings. Configure Allowed applications and Configure Protected folders.

Configure Allowed Applications

With this policy setting, the applications added to the list are marked as trusted by controlled folder access. To enable the policy setting, click Enabled and to add the list of apps click Show button. A window pops up where you can enter the app path in value name field. Enter 0 as value for all the applications that you add to the list.

Launch the PowerShell and type the command “get-mppreference“. In the output, the allowed apps are seen next to ControlledFolderAcessAllowedApplications.

Configure Protected Folders

The policy setting allows admins to configure protected folders. Untrusted applications cannot modify/delete folders added to list of protected folders. Double click the policy setting “Configure Protected Folders”. Click Enabled and to add the folders click Show. In the new window, add the folder path under value name and set the value to 0. Click Apply and OK.

Launch PowerShell and type the command get-mppreference. Look for value ControlledFolderAccessProtectedFolders to see folders that you just added.

When I attempt to use GP to implement this in a domain environment this path – “Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access” – does not exist. I’m running Server 2012r2 Standard with a GUI and 90% of my PCs are running Windows 10 version 1709. I only see Windows Components > Windows Defender (without the ‘Antivirus’ part on the end), that’s it. I do, however, see this path when browsing to the local policy on a Windows 10 PC. I’ve enabled real-time protection in GP but no luck. Any other ideas? Is this something I can control with a GPO in a server 2012r2 environment with a domain function level of 2012r2.

Hii, Prajwal Desai. My name is Jeremiah and I am from Nigeria. I’m an IT/computer engineer and I am committed to growing every day in IT knowledge. I am I came across your site. You are doing a great work. I would like to learn more from you. Are there any materials or video you can share with me … I hope to hear from you.